[11600] in bugtraq

Re: [Linux] glibc 2.1.x / wu-ftpd <=2.5 / BeroFTPD / lynx / vlock

daemon@ATHENA.MIT.EDU (Michal Zalewski)
Mon Aug 30 10:14:12 1999

Mime-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Message-Id:  <lcamtuf.4.05.9907050840170.680-100000@nimue.ids.pl>
Date:         Mon, 5 Jul 1999 08:50:01 +0200
Reply-To: Michal Zalewski <lcamtuf@IDS.PL>
From: Michal Zalewski <lcamtuf@IDS.PL>
X-To:         "Michael K. Johnson" <johnsonm@REDHAT.COM>
To: BUGTRAQ@SECURITYFOCUS.COM
In-Reply-To:  <199908251633.MAA01146@tristan.devel.redhat.com>

On Wed, 25 Aug 1999, Michael K. Johnson wrote:

> To change this behaviour in the way Michal wants would require that
> all console-switching activity be controlled only by root.  This would
> have a detrimental effect on security, because it would increase the
> number of setuid applications on the system.  So this is not a kernel
> bug, and since the behaviour Michal wants would have to be enforced in
> the kernel and vlock is not capable of changing it, it is not a vlock
> bug either.

I did not agree it is not a bug, because it allows breaking the security
scheme offered by vlock. But, for sure, I agree it's not a kernel bug, and
not a vlock bug either... No one owns this vulnerability, but it is a
vulnerability, as one of the security mechanisms can be bypassed somehow :)

_______________________________________________________________________
Michal Zalewski [lcamtuf@ids.pl] [link / marchew] [dione.ids.pl SYSADM]
[Marchew Industries] ! [http://lcamtuf.na.export.pl] bash$ :(){ :|:&};:
[voice phone: +48 (0) 22 813 25 86] ? [cellular phone: (0) 501 4000 69]
To iterate is human, to recurse - divine [P. Deutsch]
